HACKING WITH JAVASCRIPT

Source: Internet
Uploader: User
Dr_aMado

[Packetstorm editor's note: "hictor" previously claimed this work as his/hers. This appears to be a false claim, based on a person from triviasecurity.org claiming this work as their own, and based on searching for this work on Google and finding references to Dr_aMado. Of course, it is always difficult to verify who the true author is, so we hope you will understand any possible mistake]

This tutorial is an overview of how javascript can be used to bypass simple/advanced html forms and how it can be used to override cookie/session authentication.

SIMPLE HTML FORMS

1. Bypassing Required Fields

Surely you have met a webpage that requires you to fill in all fields of a form in order to submit it. It is possible to bypass these types of restrictions on any webpage. If you take a look at the webpage's source and follow it down to the form's code, you will notice the onsubmit form attribute. Hopefully by this time you have experienced the power of javascript and you know that javascript has control over every single element in a webpage, including forms. We can use javascript to our advantage in every page we view, since we can modify, delete, or add any element to the webpage. In this case we wish to clear the form's onsubmit attribute in order for the form to be submitted successfully.

The onsubmit attribute generally points to a function that checks that the form has the correct format. A function that does this may look something like this:

    function formSubmit(x){
      if(x.email.value=="") return false;
      return true;
    }
    ...
    <form name="spamform" method=post action="process.php" onsubmit="return formSubmit(this);">
    ...
    </form>

I will not go into great detail about how the formSubmit function works. You should know that if the (textfield/optionfield/option/...) field is left blank, the form will not be submitted to process.php.

Now comes the moment of truth: how do we modify the form so that onsubmit returns true every time? The way we can access the form with javascript and do this is:

    document.forms[x].onsubmit="return true;";

or

    document.spamform.onsubmit="return true;";

Both of these 'queries' will allow you to submit the form free of restrictions. The secret is how to execute this. I do this using my browser's Location bar. All you have to do is enter this text into the location bar and press enter:

    javascript:document.spamform.onsubmit="return true;";

The above statement will not work as it stands, because the 'query' returns a value javascript doesn't know what to do with, so it dumps the returned value on the screen. We need a way to use this value and stop it from being passed on to javascript. I know the exact way to do this: with alert()!

    javascript:alert(document.spamform.onsubmit="return true;");

You will see an alert box with "return true;" instead of the value being dumped out to the web browser. Once you have executed this query you will be able to enter whatever value into whatever field in spamform.

2. Changing Fields' Values

If you have managed to change a form's onsubmit attribute to let you do whatever the fuck you want, what are the limits? Of course now you know that you can modify the onsubmit attribute of a form from the location bar; the same goes for any attribute of any object in the page. This is how you can do it:

    javascript:alert(document.spamform.fieldname.value="Dr_aMado was here!");

or

    javascript:alert(document.forms[x].fieldname.value="Dr_aMado was here!");

But of course, you already knew that. Didn't you? You can change the values of pretty much anything inside a form, including radios, checkboxes, selects, hidden values, buttons, anything!

SQL INJECTIONS

1. Using Forms to Your Advantage

You probably already know about sql injection; my goal is to explain how vulnerable forms can be if not handled correctly. When targeting a system, most times you will start off with 0 code to exploit. The only thing you have is a constructed webpage to break to pieces and successfully find vulnerabilities to use to your advantage.

ACQUIRING DATABASE INFORMATION

A very logical way of acquiring system information from a website's database is by causing errors in the sql queries. These errors can be created through search forms, dynamic links, or session cookies. Most sql injection papers explain how dynamic links and text boxes can be used to execute sql queries, but in my opinion this vulnerability is more common in other input types (select boxes, hidden fields, checkboxes and radio buttons, and cookies!).

Mixing data types generally crashes a webpage if it's not well coded. Take for example a link to "memberinfo.php?o_id=1". If your goal is to crash that page it would be a good idea to stick a " or a ' in the o_id variable. If you're lucky you will get a debug message containing the crippled sql query. After you have all the information you need and you know what you're going after, you're ready to hack the hell out of every page that you have access to.

CHANGING FIELDS' VALUES

The first form you think of is the profile page. Most profile pages ignore a user's intellect and don't mask out, for example, select boxes. A way of exploiting this vulnerability is by injecting a sql query in the value property of the field.

    javascript:alert(document.profileform.user_sex.value="gay\',user_password=\'HACKED\' WHERE user_id=1#");

If we assume that the server side sql query looks something like this:

    "UPDATE user_data SET user_password='$user_password',user_email='$user_email',user_sex='$user_sex' WHERE user_id=$user_id";

Then the final query will look somewhat like this:

    "UPDATE user_data SET user_password='mypassword',user_email='myemail',user_sex='gay',user_password='HACKED' WHERE user_id=1 #' WHERE user_id=7382";

# is a sql comment operator.

2. Bypassing Session Cookies

OVERRIDING BASIC SESSION COOKIE AUTHENTICATION

Most of the time session handling is done with the use of cookies. The cookies tell the webpage who you are, what you have access to and what you don't have access to. If the page does not handle session cookies correctly a hacker might be able to change their identity to that of another user. Cookies are stored in "window.document.cookie". With javascript we are able to erase, edit, or create cookies for any website. This task is more complicated than regular types of attacks. I will not go into great detail about how it's done.

To view the cookie:

    javascript:alert(unescape(document.cookie));

To change cookie data (declares window.c, then calls it; the locals are declared with var so that the call does not overwrite window.c itself):

    javascript:alert(window.c=function a(n,v,nv){
      var c=document.cookie;
      c=c.substring(c.indexOf(n)+n.length,c.length);
      c=c.substring(1,((c.indexOf(";")>-1)? c.indexOf(";") : c.length));
      var nc=unescape(c).replace(v,nv);
      document.cookie=n+"="+escape(nc);
      return unescape(document.cookie);
    });
    alert(c(prompt("cookie name:",""),prompt("replace this value:",""),prompt("with:","")));

So if you are logged in as "John Doe" on www.ima13370h4x0r.net and your session cookie reads:

    SessionData=a:3:{s:11:"SessionUser";s:5:"75959";s:9:"SessionID";i:70202768;s:9:"LastVisit";i:1078367189;}

The cookie is actually serialized, but you should be able to recognize "75959" as your user_id. Some of the time you will find a website that stores data (like user_id) in cookies but does not typecast the data. This is a serious hole in the site's code because any user is able to change their user_id to any other user's or administrator's user_id.

Changing the cookie value is easy once you have declared the window.c function. First change s:5:"75959" to s:x:"ADMINID" where x is the length of the new value. So if you want to change 75959 to 1, you must change s:5:"75959" to s:1:"1" :-) Sometimes you will need to change 75959 to "13 or 1=1" in order to bypass any WHERE statements in the sql session queries used to keep you logged in to the website.

----------------------------------------------------------------------------------------

Notes:

In-line javascript statements can be added to your browser's favorites for easier access to your own functions.

It is possible to declare your own functions for use in extended hacks. Declare the function as a method of window: "alert(window.newfunction = function (){...})"

----------------------------------------------------------------------------------------

I am hictor
lezr.com
thank you rodhedor
hict0r@hotmail.com
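The profile-page UPDATE from the SQL INJECTIONS section above, as an added example that is not part of the original text: the string-built query the tutorial assumes, beside a hardened version that re-validates every field on the server (the select box included, since the client-side onsubmit check proves nothing) and passes user data as parameters. The allow-list values and the driver's `?` placeholder style are assumptions for the example.

```javascript
// Added example: column names follow the tutorial; the allow-list is assumed.
const SEX_ALLOWED = new Set(['male', 'female', 'unspecified']);

// Vulnerable: every field, including the "harmless" select box, is pasted into SQL.
function buildUpdateUnsafe(f) {
  return `UPDATE user_data SET user_password='${f.user_password}',` +
         `user_email='${f.user_email}',user_sex='${f.user_sex}' WHERE user_id=${f.user_id}`;
}

// Hardened: validate on the server regardless of what the form's onsubmit did,
// then emit placeholders plus a parameter list for a prepared statement.
function buildUpdateSafe(f) {
  if (typeof f.user_password !== 'string' || f.user_password === '') {
    throw new Error('password required');            // the check formSubmit only did client-side
  }
  if (!SEX_ALLOWED.has(f.user_sex)) {                // select-box values are an enum, not free text
    throw new Error(`user_sex not in allow-list: ${JSON.stringify(f.user_sex)}`);
  }
  if (!/^[1-9]\d*$/.test(String(f.user_id))) {       // the id must be a plain positive integer
    throw new Error('user_id must be an integer');
  }
  return {
    sql: 'UPDATE user_data SET user_password=?,user_email=?,user_sex=? WHERE user_id=?',
    params: [f.user_password, f.user_email, f.user_sex, Number(f.user_id)],
  };
}

// Constructed submission: the select-box value is the injected string from the tutorial.
const INJECTED = {
  user_password: 'mypassword',
  user_email: 'myemail',
  user_sex: "gay',user_password='HACKED' WHERE user_id=1#",
  user_id: 7382,
};

// Returns the query the unsafe builder produces and the error the safe builder raises.
function demo(fields = INJECTED) {
  const unsafe = buildUpdateUnsafe(fields);
  let safeError = null;
  try { buildUpdateSafe(fields); } catch (e) { safeError = e.message; }
  return { unsafe, safeError };
}
```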
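The serialized SessionData cookie from the session-cookie section above, as an added example that is not part of the original text: a strict parser for the PHP-serialized value, the typecast of SessionUser that the tutorial says vulnerable sites skip, and an HMAC signature so that an edited cookie (75959 changed to 1, or to "13 or 1=1") is detected instead of trusted. The key and cookie text are constructed for the example; the parser only handles the s: and i: types that this cookie uses.

```javascript
// Added example: Node's crypto module provides the HMAC; the key below is constructed.
const crypto = require('crypto');

// Parse a flat PHP-serialized array such as a:3:{s:11:"SessionUser";s:5:"75959";...}
// s: lengths are byte counts in PHP, which equal character counts for this ASCII value.
function parsePhpArray(str) {
  let pos = 0;
  const expect = (tok) => {                     // consume a literal token or fail
    if (!str.startsWith(tok, pos)) throw new Error(`expected ${tok} at ${pos}`);
    pos += tok.length;
  };
  const readUntil = (ch) => {                   // consume up to and past ch
    const end = str.indexOf(ch, pos);
    if (end < 0) throw new Error(`missing ${ch}`);
    const out = str.slice(pos, end); pos = end + 1; return out;
  };
  const readValue = () => {
    const type = str[pos]; expect(type + ':');
    if (type === 'i') return Number(readUntil(';'));
    if (type !== 's') throw new Error(`unsupported type ${type}`);
    const len = Number(readUntil(':')); expect('"');
    const val = str.slice(pos, pos + len); pos += len; expect('";');
    return val;
  };
  expect('a:');
  const count = Number(readUntil(':')); expect('{');
  const out = {};
  for (let i = 0; i < count; i++) { const k = readValue(); out[k] = readValue(); }
  expect('}');
  return out;
}
// Typecast the id: "75959" passes, "13 or 1=1" is rejected. A forged "1" still passes,
// which is why the cookie must also be signed (below) or the id kept server-side.
function sessionUserId(serialized) {
  const user = parsePhpArray(serialized).SessionUser;
  return typeof user === 'string' && /^[1-9]\d*$/.test(user) ? Number(user) : null;
}
function signCookie(value, key) {               // value + "." + hex HMAC-SHA256(value)
  return value + '.' + crypto.createHmac('sha256', key).update(value).digest('hex');
}
function verifyCookie(signed, key) {            // the value if the MAC matches, else null
  const dot = signed.lastIndexOf('.');
  if (dot < 0) return null;
  const a = Buffer.from(signCookie(signed.slice(0, dot), key)), b = Buffer.from(signed);
  return a.length === b.length && crypto.timingSafeEqual(a, b) ? signed.slice(0, dot) : null;
}
// The tutorial's cookie value, as constructed test input (without the SessionData= name).
const COOKIE = 'a:3:{s:11:"SessionUser";s:5:"75959";s:9:"SessionID";i:70202768;s:9:"LastVisit";i:1078367189;}';
```

The server should regenerate the signature from a secret it never sends to the browser; with the tutorial's window.c the user can rewrite the value, but not produce a matching MAC.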
